WordPress sites: any way to head off malware posts automatically?

Status
Not open for further replies.

RojBlake

Ars Legatus Legionis
48,129
Subscriptor
A user has a site with a WordPress blog and someone recently tried to hack it by posting links to malware PHP files (obfuscated as JPGs). The attack didn't work, but Google flagged this user's entire site as a malware distributor because of those links. Once the links were removed everything was fine, but in the meantime, anyone visiting the site would get that Google warning. This, obviously, is Not A Good Thing!

Is there any automated way of stopping this kind of stuff from happening? Some way of scanning blog posts for links to certain domains and then deleting them, perhaps? Or just a way of immediately changing the text of certain, specified links at post-time to something else, like Ars does with some of the link shortening sites?

(This is on CentOS 5, btw.)
 

Jim Salter

Ars Legatus Legionis
17,276
Subscriptor++
hux said:
A user has a site with a WordPress blog and someone recently tried to hack it by posting links to malware PHP files (obfuscated as JPGs). The attack didn't work, but Google flagged this user's entire site as a malware distributor because of those links. Once the links were removed everything was fine, but in the meantime, anyone visiting the site would get that Google warning. This, obviously, is Not A Good Thing!

Is there any automated way of stopping this kind of stuff from happening? Some way of scanning blog posts for links to certain domains and then deleting them, perhaps? Or just a way of immediately changing the text of certain, specified links at post-time to something else, like Ars does with some of the link shortening sites?

(This is on CentOS 5, btw.)

I tend to recommend just not showing comments unless or until they're vetted by an editor, personally.

Obviously that won't work for EVERYBODY - but it works for the majority of places I see using WordPress.

There are also plugins aimed at filtering out bots. Bad Behavior is one of them.
 

Jim Salter

Ars Legatus Legionis
17,276
Subscriptor++
Dissenting opinion: Akismet really didn't do jack shit for me, plus the API key requirement always seems to annoy me in some inconvenient way.

I've had better results with plugins that actually look for "tells" of bot posting - for example POST without GET, POST too soon after GET, yadda yadda yadda. Stuff that plugins like Bad Behavior, WP-SpamFree, etc. do. This isn't (necessarily) content-based, this is (mostly) activity-based.

This is my opinion, and you're free to disagree with it :)
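
The two activity-based "tells" named in the post above (POST without GET, POST too soon after GET), checked over web-server access logs. This is an added example, not part of the original thread and not code from Bad Behavior or WP-SpamFree; the log lines are constructed, and the function name and the 5-second and 30-minute thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (sample data, not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2012:10:00:00 +0000] "GET /2012/03/hello/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2012:10:00:45 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2012/03/hello/" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2012:10:01:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2012:10:02:00 +0000] "GET /2012/03/hello/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2012:10:02:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2012/03/hello/" "Mozilla/5.0"
"""

# client IP, timestamp, method, path from a common/combined log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
MIN_READ_TIME = timedelta(seconds=5)     # assumed: faster than a human reads and types
SESSION_WINDOW = timedelta(minutes=30)   # assumed: older GETs no longer count


def flag_comment_posts(log_text, post_path="/wp-comments-post.php"):
    """Return [(ip, timestamp, reason)] for comment POSTs that look automated."""
    last_get = {}   # client IP -> time of its most recent GET (any path)
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET":
            last_get[ip] = when
        elif method == "POST" and path.split("?")[0] == post_path:
            seen = last_get.get(ip)
            if seen is None or when - seen > SESSION_WINDOW:
                flagged.append((ip, ts, "POST without prior GET"))
            elif when - seen < MIN_READ_TIME:
                flagged.append((ip, ts, "POST too soon after GET"))
    return flagged


if __name__ == "__main__":
    for ip, ts, reason in flag_comment_posts(SAMPLE_LOG):
        print(f"{ts}  {ip}  {reason}")
```

Keying on the client IP alone merges users behind a shared NAT or proxy, so results like these are better used to hold comments for moderation than to block outright.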
 

stmiller

Ars Scholae Palatinae
1,353
- Bad Behavior with an http:BL Access Key. This works pretty well. I once had someone contact me to say that when trying to reach my blog he saw a friendly page: 'sorry, your network is serving up malware as detected by projecthoneypot and this site is unavailable via the network you are on'. Turns out they were on a Chicago public library internet connection which was known for serving up spam and malware of various kinds.

- WP Captcha Free - works with no annoying captcha




And keep the number of plugins in use to a minimum. WordPress hackers mainly get through from shoddy / un-kept plugins which create a vulnerability exploitable via comments or posting actions.
 